HIPAA Security Rule Safeguards: An Overview

HIPAA Rules requires organizations in the healthcare industry place adequate safeguards on sensitive data they hold to ensure that the integrity and security of protected healthcare information (PHI) is maintained.

Many of these stipulations are encompassed in HIPAA’s Security Rule. These are broken down into three categories; administrative, physical, and technical safeguards. These safeguards must be implemented to achieve maximum protection of patient information. HIPAA gives flexibility to individual organizations so that they may assess their own situations and determine which safeguards and best for their circumstances and their patients’ welfare.

The safeguards fall in to two categories; “addressable” and “required”. Required safeguards are self-explanatory; they must be implemented to ensure HIPAA compliance. Addressable safeguards should be implemented unless it is unreasonable to do so, in which case an organisation may implement an appropriate alternative, or not implement the safeguard at all.

One of the most fundamental aspects of data security is the use of strong and robust passwords. This straightforward administrative measure goes a long way in ensuring that only authorized individuals may access patient information. The HIPAA Security Rule, under the section relating to Security Awareness and Training, stipulates Covered Entities (CEs) must implement “procedures for creating, changing and safeguarding passwords”.

There are several commonly known procedures for creating a “strong” password, which may be a long combination of upper case and lower-case letters, numbers, and special characters. Many experts recommend the use of password management tools is a good way of complying with HIPAA password policies. These tools are effective against those who want to obtain the passwords for malicious purposes as, although they can be hacked, the software saves passwords in encrypted format. This renders them unusable by hackers and ensuring that patient data is kept secure.

It is commonly cited advice that passwords should be changed on a regular basis, many cybersecurity experts argue that this is a futile act, as competent hackers should be able to obtain user-generated passwords quickly. Therefore, it doesn’t matter how often they are changed.

In addition to the use of password management tools, many experts recommend two factor authentications as an excellent HIPAA-compliant safeguard. This works by requiring a user to input a PIN code, which is sent to their phone or email account, when they attempt to login to the system using their username and password. As a unique PIN code is issued with each log in attempt, a compromised password alone will not give a hacker access to the secure database.

Two factor authentication fulfils HIPAA password requirements as it can act as an alternate, but equivalent, security measure to creating, changing, and safeguarding passwords. This works due to the “addressable” requirements stipulated by HIPAA.Addressable requirements mean that Covered Entities can “implement one or more alternative security measures to accomplish the same purpose.” As HIPAA password requirements function to “limit unnecessary or inappropriate access to and disclosure of Protected Health Information”, two factor authentications may be used by healthcare professionals instead to protect their patient’s PHI.

Physical safeguards are often overlooked by healthcare professionals, but are arguably the easiest way to ensure that the integrity of PHI is maintained. The US Department of Health and Human Services Office of Civil Rights (OCR) recently emphasized the importance of physical safeguards in their May 2018 Cybersecurity newsletter.

The physical HIPAA data security requirements may refer to the physical locations in which computer hardware is maintained and ensuring that these are secure locations for the storage of PHI. Complying with these guidelines may achieved very easily; something as simple as ensuring that laptops containing sensitive information are kept in a locked drawer when not in use is an effective measure against data theft.

It is vital that employees are made aware of the safeguards in place and trained in maintaining the integrity of PHI. Many facilities are already using safeguards such as two factor authentication, but it is expected that as the use of mobile devices becomes more common in healthcare environments, PHI may be increasingly at risk. Ensuring that adequate physical, administrative, and technical measures are in place is vital to HIPAA compliance.

The safeguards outlined by the Security Rule are summarised as thus:

Technical Safeguards:

Required:

Implement a means of access control

Introduced activity logs and audit controls

Addressable:

Introduce a mechanism to authenticate ePHI

Implement tools for encryption and decryption

Facilitate automatic log-off of PCs and devices

Physical Safeguards:

Required:

Policies for the use/positioning of workstations

Policies and procedures for mobile devices

Addressable:

Facility access controls must be implemented

Inventory of hardware

Administrative Safeguards:

Required:

Conducting risk assessments

Introducing a risk management policy

Developing a contingency plan

Restricting third-party access

Addressable:

Training employees to be secure

Testing of contingency plan

Reporting security incidents

It is highly recommended that any organisation seeking to be fully compliant with HIPAA’s Security Rule seek counsel from both cybersecurity experts and legal professionals. The penalties for HIPAA violations are substantial, so although implementing such safeguards may be expensive up-front, it is likely to pay off in the long run.